Zenghui Liu,Yingxu Lai,Yinong Chen

DOI: https://doi.org/10.1504/ijspm.2015.072522

2015-01-01

Abstract:Considering the resource limitations of mobile terminals, such as memory capacity and battery power, it will take a large portion of resources if the complex malicious detection system is implemented in mobile terminals. We proposed the training part to be implemented on the backend server and the detecting part to be implemented on the mobile terminals. In addition, we apply permission information to the applications installed on the terminals, because permission mechanism controls the applications' accesses to sensitive information. In our method, we first employ apriori algorithm to define the permission combinations to be the initial feature and calculate the threat level of permission based on the relative deviation distances. The distances are then used as weights to the classification algorithm. In the process, we apply an integrated feature selection approach based on the principle of self-learning to extract important features to form the feature set. Finally, the minimum risk Bayes algorithm is introduced to classify unknown applications. The experimental results show that our method is effective on imbalanced datasets.

Huanran Wang,Weizhe Zhang,Hui He

DOI: https://doi.org/10.1016/j.jisa.2022.103159

IF: 4.96

2022-01-01

Journal of Information Security and Applications

Abstract:Recent years have witnessed a significant increase in the use of Android devices in many aspects of our life. However, users can download Android apps from third-party channels, which provides numerous opportunities for malware. Attackers utilize unsolicited permissions to gain access to the sensitive private intelligence of users. Since signature-based antivirus solutions no longer meet practical needs, efficient and adaptable solutions are desperately needed, especially in new variants. As a remedy, we propose a hybrid Android malware detection approach that combines dynamic and static tactics. We firstly adopt static analysis inferring different permission usage patterns between malware and benign apps based on the machine-learning-based method. To classify the suspicious apps further, we extract the object reference relationships from the memory heap to construct a dynamic feature base. We then present an improved state-based algorithm based on DAMBA. Experimental results on a real-world dataset of 21,708 apps show that our approach outperforms the well-known detector with 97.5% F1-measure. Besides, our system is demonstrated to resist permission abuse behaviors and obfuscation techniques.

Yue Li,Guangquan Xu,Hequn Xian,Longlong Rao,Jiangang Shi

DOI: https://doi.org/10.31209/2019.100000118

2019-01-01

Abstract:In order to prevent the spread of Android malware and protect privacy information from being compromised, this study proposes a novel multidimensional hybrid features extraction and analysis method for Android malware detection. This method is based primarily on a multidimensional hybrid features vector by extracting the information of permission requests, API calls, and runtime behaviors. The innovation of this study is to extract greater amounts of static and dynamic features information and combine them, that renders the features vector for training completer and more comprehensive. In addition, the feature selection algorithm is used to further optimize the extracted information to remove a number of extraneous features, and a new multi-dimensional hybrid features vector is obtained. The multi-dimensional hybrid features vector is then used to train the classification model. Finally, the unknown samples are detected and identified by using the obtained classification model. Our experiment is conducted based on 359 malicious and 500 benign applications as experimental samples, and the results indicate that our proposed method performs better in the accuracy rate of Android malware detection compared with those methods using static methods alone.

Yubo Song,Yijin Geng,Junbo Wang,Shang Gao,Wei Shi

DOI: https://doi.org/10.1155/2021/6689486

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:Since a growing number of malicious applications attempt to steal users’ private data by illegally invoking permissions, application stores have carried out many malware detection methods based on application permissions. However, most of them ignore specific permission combinations and application categories that affect the detection accuracy. The features they extracted are neither representative enough to distinguish benign and malicious applications. For these problems, an Android malware detection method based on permission sensitivity is proposed. First, for each kind of application categories, the permission features and permission combination features are extracted. The sensitive permission feature set corresponding to each category label is then obtained by the feature selection method based on permission sensitivity. In the following step, the permission call situation of the application to be detected is compared with the sensitive permission feature set, and the weight allocation method is used to quantify this information into numerical features. In the proposed method of malicious application detection, three machine-learning algorithms are selected to construct the classifier model and optimize the parameters. Compared with traditional methods, the proposed method consumed 60.94% less time while still achieving high accuracy of up to 92.17%.

Haofeng Jiao,Xiaohong Li,Lei Zhang,Guangquan Xu,Zhiyong Feng

DOI: https://doi.org/10.1007/978-3-319-23829-6_40

2014-01-01

Abstract:The growth of malicious applications poses a great threat to the Android platform. In order to detect Android malware, this paper proposes a hybrid detection method based on permission. Firstly, applications are detected according to their permissions so that benign and malicious applications can be discriminated. Secondly, suspicious applications are run in order to collect the function calls related to sensitive permissions. Then suspicious applications are represented in a vector space model and their feature vectors are calculated by TF-IDF algorithm. Finally, the detection of suspicious applications is completed via security detection techniques adopting Euclidean distance and cosine similarity. At the end of this paper, an experiment including 982 samples is used as an empirical validation. The result shows that our method has a true positive rate at 91.2 % and a false positive rate at 2.1 %.

Zhen Wang,Kai Li,Yan Hu,Akira Fukuda,Weiqiang Kong

DOI: https://doi.org/10.1109/cits.2019.8862060

2019-01-01

Abstract:With the widespread use of Android applications in security-sensitive scenarios, more and more Android malware has been discovered. Existing work on malware detection fail to automatically learn effective feature interactions, which are, however, the key to the success of many prediction models. In order to detect malware efficiently and accurately, in this paper, we propose Multilevel Permission Extraction, an approach to automatically identify permission interactions that are effective in distinguishing between malicious and benign applications. We then utilize the extracted information to classify malicious and benign applications by machine learning based classification algorithms. We evaluate our approach in a large data set consisting of 4,868 benign applications and 4,868 malicious applications. The experimental results show that our malware detection approach can achieve over 95.8% in accuracy, precision, recall, and F-Score. Compared with two state-of-the-art approaches, we can achieve a better malware detection rate of 97.88%.

Xing Liu,Jiqiang Liu

DOI: https://doi.org/10.1109/MobileCloud.2014.22

2014-01-01

Abstract:Android platform has become the main target of the malware developers in the past few years. One of Android's main defense mechanisms against malicious apps is a permission-based access control mechanism. It is a feasible approach to detect a potential malicious application based on the permissions it requested. In this paper, we proposed a two-layered permission based detection scheme for detecting malicious Android applications. Comparing with previous researches, we consider the apps requested permission pairs as the additional condition, and we also consider used permissions to improve detection accuracy. The result of an evaluation, performed using 28548 benign apps and 1536 malicious apps, indicates that a two-layered permission-based detector has high detection rate of malware.

Hongli Yuan,Yongchuan Tang,Wenjuan Sun,Li Liu

DOI: https://doi.org/10.1371/journal.pone.0238694

IF: 3.7

2020-09-11

PLoS ONE

Abstract:Android is the most widely used mobile operating system (OS). A large number of third-party Android application (app) markets have emerged. The absence of third-party market regulation has prompted research institutions to propose different malware detection techniques. However, due to improvements of malware itself and Android system, it is difficult to design a detection method that can efficiently and effectively detect malicious apps for a long time. Meanwhile, adopting more features will increase the complexity of the model and the computational cost of the system. Permissions play a vital role in the security of the Android apps. Term Frequency—Inverse Document Frequency (TF-IDF) is used to assess the importance of a word for a file set in a corpus. The static analysis method does not need to run the app. It can efficiently and accurately extract the permissions from an app. Based on this cognition and perspective, in this paper, a new static detection method based on TF-IDF and Machine Learning is proposed. The system permissions are extracted in Android application package's (Apk's) manifest file. TF-IDF algorithm is used to calculate the permission value (PV) of each permission and the sensitivity value of apk (SVOA) of each app. The SVOA and the number of the used permissions are learned and tested by machine learning. 6070 benign apps and 9419 malware are used to evaluate the proposed approach. The experiment results show that only use dangerous permissions or the number of used permissions can't accurately distinguish whether an app is malicious or benign. For malware detection, the proposed approach achieve up to 99.5% accuracy and the learning and training time only needs 0.05s. For malware families detection, the accuracy is 99.6%. The results indicate that the method for unknown/new sample's detection accuracy is 92.71%. Compared against other state-of-the-art approaches, the proposed approach is more effective by detecting malware and malware families.

multidisciplinary sciences

Jiyun Yang,Jiang Tang,Ran Yan,Tao Xiang

DOI: https://doi.org/10.1049/cje.2020.00.217

IF: 1.019

2022-01-01

Chinese Journal of Electronics

Abstract:The dynamic code loading mechanism of the Android system allows an application to load executable files externally at runtime. This mechanism makes the development of applications more convenient, but it also brings security issues. Applications that hide malicious behavior in the external file by dynamic code loading are becoming a new challenge for Android malware detection. To overcome this challenge, based on dynamic code loading mechanisms, three types of threat models, i.e. Model I, Model II, and Model III are defined. For the Model I type malware, its malicious behavior occurs in DexCode, so the application programming interface (API) classes were used to characterize the behavior of the DexCode file. For the Model II type and Model III type malwares whose malicious behaviors occur in an external file, the permission complement is defined to characterize the behaviors of the external file. Based on permission complement and API calls, an Android malicious application detection method is proposed, of which feature sets are constructed by improving a feature selection method. Five datasets containing 15,581 samples are used to evaluate the performance of the proposed method. The experimental results show that our detection method achieves accuracy of 99.885% on general dataset, and performes the best on all evaluation metrics on all datasets in all comparison methods.

Shuang Liang,Xiaojiang Du

DOI: https://doi.org/10.1109/ICC.2014.6883666

2014-01-01

Abstract:With the increase use of Android mobile phones, more Android malwares are being developed. Android malware detection becomes a crucial task. In this paper, we present a permission-combination-based scheme for Android malware detection. The Android malware detection scheme is based on permission combinations declared in the application manifest file. We obtain the permission combinations that are requested frequently by malwares but rarely by benign applications. We generate rule sets based on the permission combinations. Our experimental results show that the malware detection rate is up to 96%, and the benign application recognition rate is up to 88%. Our experimental results with real malwares show that the Android malware detection scheme is very efficient and effective.

Wei Wang,Xing Wang,Dawei Feng,Jiqiang Liu,Zhen Han,Xiangliang Zhang

DOI: https://doi.org/10.1109/tifs.2014.2353996

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Android has been a major target of malicious applications (malapps). How to detect and keep the malapps out of the app markets is an ongoing challenge. One of the central design points of Android security mechanism is permission control that restricts the access of apps to core facilities of devices. However, it imparts a significant responsibility to the app developers with regard to accurately specifying the requested permissions and to the users with regard to fully understanding the risk of granting certain combinations of permissions. Android permissions requested by an app depict the app's behavioral patterns. In order to help understanding Android permissions, in this paper, we explore the permission-induced risk in Android apps on three levels in a systematic manner. First, we thoroughly analyze the risk of an individual permission and the risk of a group of collaborative permissions. We employ three feature ranking methods, namely, mutual information, correlation coefficient, and T-test to rank Android individual permissions with respect to their risk. We then use sequential forward selection as well as principal component analysis to identify risky permission subsets. Second, we evaluate the usefulness of risky permissions for malapp detection with support vector machine, decision trees, as well as random forest. Third, we in depth analyze the detection results and discuss the feasibility as well as the limitations of malapp detection based on permission requests. We evaluate our methods on a very large official app set consisting of 310 926 benign apps and 4868 real-world malapps and on a third-party app sets. The empirical results show that our malapp detectors built on risky permissions give satisfied performance (a detection rate as 94.62% with a false positive rate as 0.6%), catch the malapps' essential patterns on violating permission access regulations, and are universally applicable to unknown malapps (detection rate as 74.03%).

Guanhong Tao,Zibin Zheng,Ziying Guo,Michael R. Lyu

DOI: https://doi.org/10.1109/tr.2017.2778147

IF: 5.883

2018-01-01

IEEE Transactions on Reliability

Abstract:The dramatic rise of Android application (app) marketplaces has significantly gained the success of convenience for mobile users. Consequently, with the advantage of numerous Android apps, Android malware seizes the opportunity to steal privacy-sensitive data by pretending to provide functionalities as benign apps do. To distinguish malware from millions of Android apps, researchers have proposed sophisticated static and dynamic analysis tools to automatically detect and classify malicious apps. Most of these tools, however, rely on manual configuration of lists of features based on permissions, sensitive resources, intents, etc., which are difficult to come by. To address this problem, we study real-world Android apps to mine hidden patterns of malware and are able to extract highly sensitive APIs that are widely used in Android malware. We also implement an automated malware detection system, MalPat, to fight against malware and assist Android app marketplaces to address unknown malicious apps. Comprehensive experiments are conducted on our dataset consisting of 31 185 benign apps and 15 336 malware samples. Experimental results show that MalPat is capable of detecting malware with a high F-1 score (98.24%) comparing with the state-of-the-art approaches.

Wenjun HU,Shuang ZHAO,Jing TAO,Xiaobo MA,Liang CHEN

DOI: https://doi.org/10.7652/xjtuxb201310007

2013-01-01

Abstract:An Android malware detection system is designed and implemented to focus on the problem that malware on Android becomes widespread. The system combines static and dynamic analysis technologies. The APK features such as permission, API call sequences, component, resource and structure are extracted to form a feature vector in static analysis, and a similarity-based method is proposed to detect known malware samples using these features. Android source code is then updated to generate new kernel images in dynamic analysis. The new kernel images can monitor the Android program's behaviors such as file reading and writing, network connection, SMS sending and telephone calling, etc. Thus, unknown malware samples can be successfully identified through analyzing these behaviors. Experimental results show that the proposed system is efficient and performs well on detecting Android malware. The proposed system has been released online and free use of the system is available on the Internet.

XIONG Ping,WANG Xiaofeng,NIU Wenjia,ZHU,Tianqing

2018-01-01

Abstract:Smartphone platforms became plenty of and plenty of widespread recently. to defend sensitive resources at intervals the good phones, permission-based isolation mechanism is used by trendy Smartphone systems to prevent un-trusted apps from unauthorized accesses. In Android, an application should expressly request a group of permissions once it's place in. However, once permissions unit of measurement granted to Associate in Nursing application, there is no due to examine and compel but these permissions unit of measurement utilized by the app to utilize sensitive resources. whereas these malware apps unit of measurement clear examples containing undesirable behaviors’, sadly even in supposedly benign applications, there may even be many hidden undesirable behaviors’ like privacy invasion. During this papers we've planned a changed malware detection formula that works on the permission based mostly analysis and reviews submitted by the users of the applying on the server.

Zhuo Ma,Haoran Ge,Yang Liu,Meng Zhao,Jianfeng Ma

DOI: https://doi.org/10.1109/ACCESS.2019.2896003

IF: 3.9

2019-01-01

IEEE Access

Abstract:Android malware severely threaten system and user security in terms of privilege escalation, remote control, tariff theft, and privacy leakage. Therefore, it is of great importance and necessity to detect Android malware. In this paper, we present a combination method for Android malware detection based on the machine learning algorithm. First, we construct the control flow graph of the application to obtain API information. Based on the API information, we innovatively construct Boolean, frequency, and time-series data sets. Based on these three data sets, three detection models for Android malware detection regarding API calls, API frequency, and API sequence aspects are constructed. Ultimately, an ensemble model is constructed for conformity. We tested and compared the accuracy and stability of our detection models through a large number of experiments. The experiments were conducted on 10010 benign applications and 10683 malicious applications. The results show that our detection model achieves 98.98% detection precision and has high accuracy and stability. All of the results are consistent with the theoretical analysis in this paper.

Ming Yang,Shan Wang,Zhen Ling,Yaowen Liu,Zhenyu Ni

DOI: https://doi.org/10.1002/cpe.4172

2017-01-01

Concurrency and Computation Practice and Experience

Abstract:SummaryIn recent years, with the prevalence of smartphones, the number of Android malware shows explosive growth. As malicious apps may steal users' sensitive data and even money from mobile and bank accounts, it is important to detect potential malicious behaviors so as to block them. To achieve this goal, we propose a dynamic behavior inspection and analysis framework for malicious behavior detection. A customized Android system is built to record apps' API calls, permission uses, and some other runtime features. We also develop an automated app behavior inspection platform to install and inspect massive samples so as to collect apps' dynamic behavior records. Then these records are exploited to train a string subsequence kernel–based Support Vector Machine (SVM) model, which can be used to classify benign and malicious behaviors offline. To realize online detection, we further extract apps' runtime features including sensitive permission combination uses, sensitive behavior sequences, and user interactions for behavior classification. The classification results can reach an accuracy of 84.9% in offline phase and 99.0% in online phase. Besides, we verify our scheme for identifying malicious apps, and the results show that 71.8% instances of malware samples are identified by running each app for only 18 minutes.

Haipeng Zhang,Shudong Li,Xiaobo Wu,Weihong Han,Laifu Wang

DOI: https://doi.org/10.1109/DSC53577.2021.00100

2021-01-01

Abstract:With the popularity of smartphones, android quickly occupied the market, and at the same time, millions of android malware increase every year, which caused great losses to users. so it's crucial to detect unknown android malware efficiently before install it. Machine learning has achieved outstanding performance in many fields, and so does android malware detection. Nowadays, many methods of detecting android malware based on machine learning have been proposed. These methods can be classified as dynamic analysis, static analysis, and hybrid analysis according to what kind of features they use. the dynamic analysis will waste a lot of time because it requires running software. What's more, it's hard to get all malicious behaviors because of Anti-Sandbox technology, which means malware might change its behavior to avoid detecting when malware is running in Sandbox. In this paper, we proposed a new android malware detection approach using multi-features and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm. The static features we use cover permissions and API calls of each android application and the size of the android application package. We used BOW(bag of words) to process permission feature, standardization to process packages size feature, and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm to handle API calls features. Machine-learning algorithms including AdaBoost, LinearSVC, GaussianNB are used for Classification. The experimental results on public datasets demonstrated our system could detect android malware efficiently.

Xiang Li,Jianyi Liu,Yanyu Huo,Ru Zhang,Yuangang Yao

DOI: https://doi.org/10.1109/CCIS.2016.7790261

2016-01-01

Abstract:As one of the most developed intelligent operating systems on mobile devices, Android has taken the most part of the cell phone market. A rapid increase in the number of mobile applications make them more and more relevant to people's daily lives than ever before. Due to Android's security mechanism and the validation lack of publishing Android apps, Android malware detection still remains to be a critical issue. To solve this problem, this paper found that the statistical information of Android components (mainly activity) from the Manifest file cannot be ignored, based on the traditional method of Android permission detection. In this paper, a new feature vector is extracted from the AndroidManifest file, which combines the permission information and the component information of the Android application. We combine the naive Bias classification algorithm, and propose a malicious application detection method based on AndroidManifest file information. The experimental results show that the new method performance better than that of the traditional permission detection.

Hui Li,Hailing Zhang,Xue Chen,Dan Liao,Ming Zhang

DOI: https://doi.org/10.21203/rs.3.rs-1592245/v1

2022-01-01

Abstract:Abstract In recent years, the rapid increase in the number and type of Android malware has brought great challenges and pressure to malware detection systems. As a widely used method in android malware detection, static detecting has been a hot topic in academia and industry. However, in order to improve the accuracy of detection, the existing static detecting methods sacrifice the excessively high analysis complexity and time cost. Moreover, the correlation between static features leads to redundancy of a large amount of data. Therefore, this paper proposes a static detecting method of Android malware based on sensitive pattern. It uses an improved FP-growth algorithm to mine frequent combinations of sensitive permissions and API calls in malicious apps and benign apps, which avoids the generation of redundant information. In addition, this paper adopts multi-layered gradient boosting decision trees algorithm to train the detection model. And a dual similarity combination method is proposed to measure the similarity between different sensitive patterns. The experimental results show that our proposed detection method has high accuracy and great generalization ability.

Yi-Ming Chen,Tzung-Han Jeng,Yung-Ching Shyong

DOI: https://doi.org/10.1109/ICCCI49374.2020.9145994

2020-06-01

Abstract:Nowadays Android smart mobile devices have become the main target of malware developers, so detecting and preventing Android malware has become an important issue of information security. Therefore, this paper proposes an Android application classification system that combines static permissions and dynamic packet analysis. This system first obtains the static information of Android applications through static analysis, classifies the applications as benign or malicious through machine learning, and avoids excessive dynamic data collection time by filtering out benign applications. Then in the dynamic analysis stage, the malware's network traffic is used to extract multiple types of features, and then machine learning is used to achieve the malware family classification. The experimental results showed that the accuracy rate of the static model for malicious and benign classification was 98.86%. On the other hand, the accuracy of the dynamic model proposed in this paper for family classification of applications is 96%, which is better than 94.33% of DroidClassifier [1]. The final experiment confirmed that the system proposed in this paper can not only save 52.5% of dynamic data collection time but also improve the accuracy of Android application family classification.

Computer Science